The Community Forums


:fail: does not work to stop spoofed returned addresses

Discussion in 'General Discussion' started by jackie46, Jun 18, 2006.

  1. jackie46

    jackie46 BANNED

    It's interesting that :fail: does not stop spoofed return mail.

    We have 5 domains constantly being targeted with ridiculous return email addresses.
    :fail: is set on all 5 domains.

    Yet the message is being delivered to the mail queue regardless of the :fail: setting.

    :fail: is supposed to stop anyuser@domain.com and it does, but when it is a spoofed return, :fail: is ignored and the message is sent to the mail queue anyway.

    Anyone have any idea why :fail: does not stop these messages?
     
  2. webignition

    webignition Well-Known Member

    Setting the default address to :fail: should reject all mail to any invalid local user.

    This means that mail will be rejected if the To: address is not a valid local mailbox or forwarder.

    The return address, spoofed or otherwise, is not relevant here.
     
  3. jackie46

    jackie46 BANNED

    Nope, doesn't work.

    When a message arrives from a spoof, it's to kulkujelkjhrl@domain.com and it does not get rejected. But if a message is sent to the domain with the same user and domain name, it's rejected by :fail:.
     
  4. webignition

    webignition Well-Known Member

    What's the To: address in such cases?
     
  5. jackie46

    jackie46 BANNED

    An example is To: kulkujelkjhrl@domain.com. domain.com exists on the server but user kulkujelkjhrl does not, so what I'm saying is :fail: does nothing in this instance and it's sent to the queue.

    But if I send a message directly to kulkujelkjhrl@domain.com then it's rejected.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I'm seeing this as well. Got 5 of them this weekend.
     
  7. sparek-3

    sparek-3 Well-Known Member

    Are you sure the messages aren't CCs or BCCs? A message may have headers such as:

    To: nonexistant@domain.com
    Cc: realaddress@domain.com, anotherreal@domain.com


    This would mean that realaddress@domain.com and anotherreal@domain.com would receive the messages, but the To: line would still say nonexistant@domain.com. As to why these messages are going to the queue and not to the mailboxes, I don't know. Perhaps the mailboxes are at their individual quota limits.
     
  8. jackie46

    jackie46 BANNED

    Nope, they are bounces from spammers who used ulkujlkjlkj@myusersdomain.com and it's bouncing back to our server because the domains exist here, but :fail: does not stop them from piling up in the queue even if they are not being delivered. They are not being delivered because catch-all is turned off for these domains, so it goes to the queue.
     
  9. WebScHoLaR

    WebScHoLaR Well-Known Member

    Using :fail: the email is never accepted into the server. During the initial SMTP negotiation, when the sender's SMTP server connects to your SMTP server, the sending SMTP server issues a RCPT command notifying your server which email address the email to follow is intended for. Your server then checks whether the recipient email actually exists on your server (a POP3 account, an alias or a catchall alias) and if it does not, it issues an SMTP DENY which terminates the attempt to deliver the email.

    * This saves bandwidth as the email data is never received into your server
    * This saves server resources as the email never has to be processed
    * This complies with the SMTP RFCs because the sending SMTP server receives the DENY command
    * Your server does not send a bounce message (just the DENY command)
    * Your server does not send anything to the sender of the email (i.e. the address in the From: line)
    * The sending SMTP server is responsible for notifying the original sender
     
  10. jackie46

    jackie46 BANNED

    Webscholar, obviously you didn't read and follow the thread. I already said, :FAIL: is set on all 5 domains!!!!!!!!!!!!!!

    I understand the process but :fail: does not do a thing to stop spoofed mail. The message always arrives from <>. It is addressed to oiuoiuelruk@domain.com and it's accepted even if :fail: is set on the account. Maybe cPanel should look at their code and fix this issue.

    So, I rewrote the rules and I haven't seen a bounce back to a non-existent email address since I added the changes. Spoofed mail is now being denied and so is any ridiculous email address sent to the domain in question via :fail:
     
    #10 jackie46, Jun 19, 2006
    Last edited: Jun 19, 2006
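The RCPT-time check WebScHoLaR describes above, and the case jackie46 reports (a bounce arriving from <> to a bogus local part being accepted while the same address is refused when mailed directly), side by side as an added example. This is constructed simulation code, not anything from the thread or from cPanel's exim.conf: a tiny in-memory "server" applies one of two assumed policies (verify the recipient on every RCPT, or accept null-sender bounces before the recipient check) and a "client" runs the same two probes against each. The domain, local parts and policy names are assumptions for illustration.

```python
"""Constructed SMTP policy simulation (added example, not from the thread).

Two assumed RCPT-time policies are compared:
  * verify_always      - recipient checked on every RCPT TO (the behaviour
                         described for :fail:)
  * null_sender_bypass - bounces (MAIL FROM:<>) accepted before the recipient
                         check, which reproduces the symptom in the thread.
Nothing here talks to a real MTA.
"""

# Assumed hosted domain and its valid mailboxes/forwarders (constructed).
LOCAL_DOMAINS = {"domain.com"}
VALID_LOCAL_PARTS = {"domain.com": {"realaddress", "anotherreal"}}


class SmtpServer:
    """RCPT-time policy for one SMTP transaction (simulation only)."""

    def __init__(self, null_sender_bypass: bool):
        self.null_sender_bypass = null_sender_bypass
        self.sender = None

    def mail_from(self, sender: str) -> str:
        self.sender = sender  # "" models MAIL FROM:<>, the null sender
        return "250 OK"

    def rcpt_to(self, rcpt: str) -> str:
        # Weak (assumed) policy: a bounce is accepted before the recipient is
        # verified, so a bogus local part is never rejected at RCPT time.
        if self.null_sender_bypass and self.sender == "":
            return "250 Accepted"
        local, _, domain = rcpt.rpartition("@")
        if domain not in LOCAL_DOMAINS:
            return "550 relay not permitted"
        if local not in VALID_LOCAL_PARTS.get(domain, set()):
            # The :fail: outcome: refused in-session, no bounce generated.
            return "550 No Such User Here"
        return "250 Accepted"


def probe(server: SmtpServer, sender: str, rcpt: str):
    """Send MAIL FROM / RCPT TO; return the transcript and the RCPT code."""
    transcript = []
    reply = server.mail_from(sender)
    transcript += [f"C: MAIL FROM:<{sender}>", f"S: {reply}"]
    reply = server.rcpt_to(rcpt)
    transcript += [f"C: RCPT TO:<{rcpt}>", f"S: {reply}"]
    return transcript, int(reply.split()[0])


def run_probes(null_sender_bypass: bool, rcpt: str = "kulkujelkjhrl@domain.com"):
    """RCPT result code for a direct message and for a null-sender bounce."""
    codes = {}
    for label, sender in (("direct", "someone@example.net"), ("bounce", "")):
        server = SmtpServer(null_sender_bypass)  # fresh transaction each time
        _, codes[label] = probe(server, sender, rcpt)
    return codes


if __name__ == "__main__":
    for name, bypass in (("verify_always", False), ("null_sender_bypass", True)):
        print(f"== policy: {name}")
        for sender in ("someone@example.net", ""):
            lines, _ = probe(SmtpServer(bypass), sender, "kulkujelkjhrl@domain.com")
            print("\n".join(lines))
```

Against a real server the same check is a manual session on port 25: HELO, MAIL FROM:<>, then RCPT TO:<bogus@yourdomain>. A working :fail: answers that RCPT with a 5xx; a 250 there means the bounce will be accepted and queued no matter what the default address is set to.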
  11. webignition

    webignition Well-Known Member

    Would you mind sharing?

    I'd also be interested to see what Chirpy has to say on the matter.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    So would I. My guess is it's due to the mail conversion we did a while back. This is a problem. I've just received another 5 of them that should have failed.
     
  13. rpmws

    rpmws Well-Known Member

    I am seeing this. I have bounces in queue that are destined for fake@my_hosted_domain.com and they did not originate from my box. They came in as a bounce and just sit there. It's not a forwarder or anything special. I am also seeing something weird in this way. I forward my nobody, cpanel and root mail to an address I check. In the last week or so I have been getting emails that seem to be for accounts I host. ..ahh scratch that. I looked in the headers just now and can see "postmaster" as a BCC. I think I have a global postmaster forwarder ..but I can't remember where it is :(
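For the "bounces sitting in the queue" situation rpmws, jackie46 and bamm describe, here is an added queue-triage example (not code from the thread or from cPanel). It parses a listing in the shape of `exim -bp` output and lists the queued null-sender messages addressed to local parts that do not exist on a hosted domain, i.e. the messages a working :fail: would have refused at RCPT time. The listing, the message ids and the valid-user table are constructed sample data, not real queue contents.

```python
"""Queue triage for backscatter (added example, not from the thread).

Parses an `exim -bp` style listing and reports queued bounces (sender <>)
whose recipient local part is not a known mailbox/forwarder on an assumed
hosted domain.  All sample data below is constructed.
"""
import re

# Constructed sample in the shape of `exim -bp` output: a header line with
# age, size, message id and sender (<> is the null sender, the mark of a
# bounce, optionally followed by *** frozen ***), then one indented
# recipient per line (a leading D marks one already delivered).
SAMPLE_QUEUE = """\
 25h  2.1K 1Fs9Qa-0003Xa-Jw <> *** frozen ***
          kulkujelkjhrl@domain.com

  3h  1.4K 1FsAbC-0001Qz-Rt <spammer@example.net>
          nonexistant@domain.com

  2h  3.0K 1FsB1d-0002Lm-Kx <>
          oiuoiuelruk@domain.com
          realaddress@domain.com

  1h  0.9K 1FsC2e-0004Nn-Qq <sender@example.org>
        D realaddress@domain.com
"""

# Assumed mailboxes/forwarders per hosted domain (constructed).
VALID = {"domain.com": {"realaddress", "anotherreal"}}

HEADER = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\w+-\w+-\w+)\s+<([^>]*)>(.*)$")
RECIPIENT = re.compile(r"^\s+(?:D\s+)?(\S+@\S+)\s*$")


def parse_queue(listing: str):
    """Return one dict per queued message: id, sender, frozen, recipients."""
    messages, current = [], None
    for line in listing.splitlines():
        if not line.strip():
            continue
        head = HEADER.match(line)
        if head:
            _age, _size, msg_id, sender, rest = head.groups()
            current = {"id": msg_id, "sender": sender,
                       "frozen": "frozen" in rest, "recipients": []}
            messages.append(current)
            continue
        rcpt = RECIPIENT.match(line)
        if rcpt and current is not None:
            current["recipients"].append(rcpt.group(1))
    return messages


def bogus_bounces(messages, valid=VALID):
    """(message id, recipient) pairs for null-sender mail to unknown users.

    These are the messages a working :fail: would have refused at RCPT time,
    so they should never have reached the queue at all."""
    hits = []
    for msg in messages:
        if msg["sender"] != "":          # only bounces (MAIL FROM:<>)
            continue
        for rcpt in msg["recipients"]:
            local, _, domain = rcpt.rpartition("@")
            if domain in valid and local not in valid[domain]:
                hits.append((msg["id"], rcpt))
    return hits


if __name__ == "__main__":
    for msg_id, rcpt in bogus_bounces(parse_queue(SAMPLE_QUEUE)):
        print(f"{msg_id}  ->  {rcpt}")
```

On a live box you would feed the real `exim -bp` output to parse_queue() and build the valid table from the server's own mailboxes and forwarders; the ids it returns are what you would hand to `exim -Mrm` once you have confirmed they are backscatter. The count of hits over time is also a quick way to tell whether a config change has actually stopped the bounces from being accepted.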
     
  14. webignition

    webignition Well-Known Member

    /etc/myaliases, quite possibly.
     
  15. mctDarren

    mctDarren Well-Known Member

    Wow, great post jackie46. I have a client who has been a victim of this problem for a couple of weeks and I never even noticed that the To: address of non-existant@theirdomain.tld should not even be getting through! This is DEFINITELY a solution that needs to be shared. So glad you posted this! Hoping you post your rewrite as well...
     
  16. trevorgehman

    trevorgehman Registered

  17. bamm

    bamm Well-Known Member

    Sorry to open a month-old thread, but I'm curious how others have resolved this issue. The suggestions at webhostgear already exist in my exim.conf and do not resolve the problem.

    Another issue I am seeing are emails sent to username@servername, these are totally ignored by :fail:. I attempted to add the username to /etc/aliases and while that works to filter emails sent to the username@servername, manually adding users to /etc/aliases is quite tedious.

    So, with this said, the mail queues across my servers are being inundated with email sent to non existent email addresses even though their default is set to :fail: AND inundated with emails sent to username@serveraddress.

    Any help/suggestions would be greatly appreciated.
     
  18. dob3rman

    dob3rman Active Member

    Same here!

    Same here... I have the same problem described in this thread...

    Any solution yet? :rolleyes:
     